Type: object
File match: vault.json, vault.config.json
Schema URL: https://catalog.lintel.tools/schemas/schemastore/hashicorp-vault/latest.json
Source: https://www.schemastore.org/vault.json

Validate with Lintel

npx @lintel/lintel check

A JSON schema for Vault's configuration file. https://developer.hashicorp.com/vault/docs/configuration

Properties

disable_mlock boolean required

Stops Vault from executing the mlock syscall; mlock is what prevents memory from being swapped to disk. This can also be provided via the environment variable VAULT_DISABLE_MLOCK.

listener object[] required
storage object required
One of: in-memory storage object, file storage backend object, raft storage backend object, consul storage backend object, s3 storage backend object
api_addr string

Specifies the address (full URL) to advertise to other Vault servers in the cluster for client redirection. This can also be provided via the environment variable VAULT_API_ADDR.

cache_size string

Specifies the size of the read cache used by the physical storage subsystem. The value is in number of entries, so the total cache size depends on the size of stored entries.

Default: "131072"
cluster_addr string

Specifies the address to advertise to other Vault servers in the cluster for request forwarding. This can also be provided via the environment variable VAULT_CLUSTER_ADDR.

cluster_name string

Specifies a human-readable identifier for the Vault cluster. If omitted, Vault will generate a value.

default_lease_ttl string

Specifies the default lease duration for tokens and secrets. This is specified using a label suffix like '30s' or '1h'.

Default: "768h"
default_max_request_duration string

Specifies the default maximum request duration allowed before Vault cancels the request.

Default: "90s"
detect_deadlocks string

A comma-separated string that specifies the internal mutex locks that should be monitored for potential deadlocks.

disable_cache boolean

Disables all caches within Vault, including the read cache used by the physical storage subsystem.

Default: false
disable_clustering boolean

Specifies whether clustering features such as request forwarding are enabled.

Default: false
ha_storage object
One of: in-memory storage object, file storage backend object, raft storage backend object, consul storage backend object, s3 storage backend object
introspection_endpoint boolean

Enables the sys/internal/inspect endpoint which allows users with a root token or sudo privileges to inspect certain subsystems inside Vault.

Default: false
log_level "trace" | "debug" | "info" | "warn" | "error"

Specifies the log verbosity level.

Default: "info"
max_lease_ttl string

Specifies the maximum possible lease duration for tokens and secrets.

Default: "768h"
pid_file string

Path to the file in which the Vault server's Process ID (PID) should be stored.

plugin_directory string

A directory from which plugins are allowed to be loaded.

raw_storage_endpoint boolean

Enables the sys/raw endpoint which allows the decryption/encryption of raw data into and out of the security barrier.

Default: false
seal object[]
telemetry object
3 nested properties: prometheus_retention_time, disable_hostname, dogstatsd_addr
prometheus_retention_time string

Specifies the retention time for Prometheus metrics.

Default: "0"
disable_hostname boolean

If true, the hostname will not be prefixed to metrics.

Default: false
dogstatsd_addr string

The address of a DogStatsD agent.

ui boolean

Enables the built-in web UI.

Default: false

Definitions

storageBackend object